On IMAP with cPanel pass I can see all email accounts

[cosmin]

Hello!
If I create a IMAP email account in Opera or other email client, with cPanel password I can see all emails from all accounts. How can I block this?

Thank you very much!

[chirpy]

I'm unclear - are you saying that you can log into any cPanel account on the server into their IMAP account using just one password? Or are you saying that if you login to a cPanel IMAP account you can somehow view all cPanel accounts email on the server? I don't see how you'd be able to do either.

[challii]

I *think* he is saying if he creates account a@domain.com and b@domain.com and then logs into IMAP with his cpanel username and password and not a@domain.com and that password he can see both a@domain.com and b@domain.com's email which is perfectly normal.

[dwykofka]

Solution, Quit using your (admin) cpanel account as an email account..

I see this all the time usually with resellers because I tell my clients to pick an admin name seperate from their email address's.

[Michael2820]

I know this thread started years ago, but I experience same thing. I log in to my cPanel with user=admin (which is normal) and my host offers me several domains for a good price. I have then offered friends to host with me and I have made them email accounts, BUT when I log in as admin in cPanel and go Email Manager -> Webmail -> Go to secure Webmail login -> Select Horde, I can see EVERYTHING. I can read all emails, I can do anything, as if I was logged into all email accounts at the same time.

My goodness, what is this ?
PS I am experienced pc user since 1984 ;-)

[cPanelTristan]

Hello,

You could have seen all emails anyway as they are stored in /home/username/mail/domain.com/emailuser location where username is your cPanel username, domain.com is your domain name and emailuser is the email user's name. Since you have the cPanel account, you could FTP into the /home/username location, change to the directory with the mail and then read the emails for any users. It is your account after all. If you do not want to be able to read their emails, then you can choose not to read them. There is no way to prevent the account owner from having access to this data.

Thanks.

[Michael2820]

Hello Tristan
Thank you for replying.

I do not want to be able to read all emails, but I can

You are saying: "There is no way to prevent the account owner from having access to this data." Does that mean:

1. This is the way we the programmers want(ed) it to be
2. This is the way, because we do not know how to programme it differently

or maybe reason #3 ?

Please, I am asking out of curiousity, not to critisize you, but I was somehow surprised, when I found out today, because I thought it was safe for the other email owners.
Michael, Denmark

[cPanelTristan]

Hello,

This is the way because you own the account and your username owns their files. If you don't want to see their emails, then you'd need to purchase separate hosting accounts for each user or not read them.

Any time a user owns the files (username:username ownership), they can see those files. This is the way it is on the system for Linux and FreeBSD servers.

It is like having something sent to your mailing address, you have access to the package when it arrives. You do not have to open the package but it is there in your home. It's up to you to either leave it alone for the person it has been addressed to or open it up. No-one is going to prevent you from opening it once it gets to your owned home location. Once the emails are on your account, no-one can stop you from seeing them other than root user who can change permissions where you cannot see them. The root user can see everything on the system.

Again, if you don't want to see the emails, then you need to purchase separate hosting accounts for them, or you would not read them. Otherwise, let them know you can see the data and let them decide.

Thank you.

[Michael2820]

Tristan, Why do you keep avoiding answering my question?

[cPanelDon]

I know this thread started years ago, but I experience same thing. I log in to my cPanel with user=admin (which is normal) and my host offers me several domains for a good price. I have then offered friends to host with me and I have made them email accounts, BUT when I log in as admin in cPanel and go Email Manager -> Webmail -> Go to secure Webmail login -> Select Horde, I can see EVERYTHING. I can read all emails, I can do anything, as if I was logged into all email accounts at the same time.

My goodness, what is this ?
PS I am experienced pc user since 1984 ;-)

Hello Tristan
Thank you for replying.

I do not want to be able to read all emails, but I can

You are saying: "There is no way to prevent the account owner from having access to this data." Does that mean:

1. This is the way we the programmers want(ed) it to be
2. This is the way, because we do not know how to programme it differently

or maybe reason #3 ?

Please, I am asking out of curiousity, not to critisize you, but I was somehow surprised, when I found out today, because I thought it was safe for the other email owners.
Michael, Denmark

Accessing Webmail using the cPanel username and password allows access to e-mail accounts that are managed by that same cPanel account; this is by design. cPanel users are also system users; however, normal e-mail accounts are not also system users. As a cPanel user is also a system user, they will, inherently, have access to all data in their home directory on the server's file system, which includes e-mail; this is normal.

Accessing Webmail using a normal e-mail account, such as when the login username is in the format of "user@domain.tld", will permit access only to the specific e-mail account that was used when logging-in. Normal e-mail accounts, not like a cPanel user, may access only their own e-mails stored within their specific e-mail account.

In conclusion, you may avoid seeing all e-mails within your cPanel account by not accessing Webmail using the cPanel username and password, and instead, ensure to access Webmail using only the specific login username and password for a single e-mail account. To clarify, a cPanel username does not include the "@domain.tld" part; however, the usename for an e-mail account does include the "@domain.tld" part, just like the full e-mail address.

[cPanelDon]

Solution, Quit using your (admin) cpanel account as an email account..

I see this all the time usually with resellers because I tell my clients to pick an admin name seperate from their email address's.

I believe the last reply in this thread from 2005 may help to clarify a solution.

If you prefer to use an e-mail address like "admin@domain.tld", simply create an e-mail account using your desired address and then ensure that when accessing webmail, IMAP, POP3, or SMTP, to use the full e-mail address as the login username and not the cPanel/system username.

[Michael2820]

I hope, that some people have some fun reading this. I give up. It is like talking to a wall. In danish we say about such a situation: "You ask in the West and get an answer in the East" ;-)

[cPanelDavidG]

I hope, that some people have some fun reading this. I give up. It is like talking to a wall. In danish we say about such a situation: "You ask in the West and get an answer in the East" ;-)

I am having difficulty understanding what it is you are asking in this thread. If you are asking if you, as a cPanel user, can somehow be blocked from viewing the emails of accounts you create - the answer is no.

However, email users cannot view the contents of each others' accounts - only the cPanel user has this ability.

[Michael2820]

OK, I can see now, that several of you guys are coming to assist. I will try again, and you probably have to "think out of the box". You are too much into your own world maybe, but I give it another try.

cPanelDavidG: You are very close at understanding, what I want to ask you about, but only close. I have understood, how cPanel works, i.e. that I as admin can see and do everything with emails created under cPanel. This is NOT a technical question. It is like when buying a car, and this car is only able to drive forwards, and you would like it to go backwards too. You want the product to work in a different way OR you want options to the product.

cPanel has been programmed in the way, that we have been repeating several times, no need to repeat that again.

My question has always been:

Could you programme cPanel, so it was possible, that I was blocked from an email account, if I did not know the password to this specific email account (in practise I would let a friend of mine enter the password without me looking or via a remotedly controlled computer (I use teamviewer).

I just started with another webhost and they do not use cPanel ;-) and the control panel works like I want it to work: If a friend of mine enters the pw for her email account without my knowing, I can NOT do anything with her emails. The only thing I CAN do is to change the pw to her email account, but then she knows, that I have changed it, because now she cannot access her account.

If you do not understand it now, then please do NOT ask me again to repeat, what I am asking you about. Shortly: I ask if you can programme a new option in cPanel to satisfy my wish.

If you do understand it, then consider my writing as a suggestion to make cPanel better ;-)

Michael Maardt, Denmark

[cPanelDavidG]

OK, I can see now, that several of you guys are coming to assist. I will try again, and you probably have to "think out of the box". You are too much into your own world maybe, but I give it another try.

cPanelDavidG: You are very close at understanding, what I want to ask you about, but only close. I have understood, how cPanel works, i.e. that I as admin can see and do everything with emails created under cPanel. This is NOT a technical question. It is like when buying a car, and this car is only able to drive forwards, and you would like it to go backwards too. You want the product to work in a different way OR you want options to the product.

cPanel has been programmed in the way, that we have been repeating several times, no need to repeat that again.

My question has always been:

Could you programme cPanel, so it was possible, that I was blocked from an email account, if I did not know the password to this specific email account (in practise I would let a friend of mine enter the password without me looking or via a remotedly controlled computer (I use teamviewer).

I just started with another webhost and they do not use cPanel ;-) and the control panel works like I want it to work: If a friend of mine enters the pw for her email account without my knowing, I can NOT do anything with her emails. The only thing I CAN do is to change the pw to her email account, but then she knows, that I have changed it, because now she cannot access her account.

If you do not understand it now, then please do NOT ask me again to repeat, what I am asking you about. Shortly: I ask if you can programme a new option in cPanel to satisfy my wish.

If you do understand it, then consider my writing as a suggestion to make cPanel better ;-)

Michael Maardt, Denmark

Okay, let's establish a few basic facts first:

- Email is stored on a server as files. Currently, under the maildir format cPanel&WHM uses, these are unencrypted plain-text files.
- Maildir is a popular industry standard for storing email because it provides high performance by means of storing individual messages in individual files.
- User root on FreeBSD or Linux has access to every file on their server, regardless of what control panel they are or are not running.



Are you okay with root having access to those emails?